20 matches found
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2022-28923
CVE-2022-28923 affects Caddy v2.4.6. The available sources describe an open redirect in the Caddy 2.4.6 open redirect vulnerability, where a crafted URL can redirect users to attacker-controlled sites, enabling phishing and potential data exposure. The practical impact is phishing-related credent...
CVE-2022-34037
CVE-2022-34037 describes an out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go of Caddy v2.5.1 , enabling a potential Denial of Service via a crafted URI. The OpenSUSE and OSV entries in the connected documents confirm the issue and indicate that an update to a fi...
CVE-2022-29718
CVE-2022-29718 affects Caddy v2.4 and is an open redirect vulnerability. An unauthenticated remote attacker can trick a user into clicking a crafted link, causing the user to be redirected to an arbitrary URL. Public references confirm the issue and indicate downstream fixes: openSUSE/SUSE backpo...
CVE-2018-21246
Caddy before 0.10.13 mishandles TLS client authentication due to missing StrictHostMatching, enabling an authentication bypass. Affected product: Caddy web server; vulnerability in TLS client auth handling (authentication bypass). CVE-2018-21246 is documented in multiple sources (GHSA, OSV, NVD, ...
CVE-2026-27588
Summary (CVE-2026-27588) Caddy (v2.x) vulnerability in the host matcher: when a large allowlist (>100 hosts) is configured, the MatchHost algorithm uses a fast path that enforces a case-sensitive comparison, which makes the host matching effectively case-sensitive and can bypass host-based rou...
CVE-2026-27590
Caddy prior to 2.11.1 is affected. The FastCGI path-splitting logic lowercased the request path to compute a split index, then used that index on the original path; Unicode can change byte length after lowercasing, causing SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO misalignment. This path confusio...
CVE-2026-27589
Summary: CVE-2026-27589 affects Caddy prior to 2.11.1. The local admin API (default at 127.0.0.1:2019) exposes a state-changing POST /load that can replace the running configuration. If origin enforcement is not enabled, the admin endpoint accepts cross-origin requests and applies an attacker-sup...
CVE-2018-19148
CVE-2018-19148 affects Caddy up to 0.11.0. When a request’s Host header cannot be matched to any vhost, Caddy serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests with nonexistent hostnames enable enumeration of all certificates and relationships amon...
CVE-2023-50463
The CVE-2023-50463 issue affects the caddy-geo-ip (GeoIP) middleware for Caddy 2 up to version 0.6.0. The vulnerability arises when trust_header X-Forwarded-For is used: an attacker can spoof their source IP address by manipulating X-Forwarded-For, potentially bypassing protection mechanisms such...
CVE-2026-45135
CVE-2026-45135 (Caddy) describes two Unicode bypass flaws in the FastCGI splitPos logic (modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) that mis-use golang.org/x/text/search with IgnoreCase when a non-ASCII byte appears in the request path. This can cause a non-.php file to be treated as a sc...
CVE-2026-27585
CVE-2026-27585 affects Caddy prior to 2.11.1 due to improper sanitization of backslashes in the file matcher’s path sanitization routine, which can bypass path-related security protections. The issue is fixed in version 2.11.1. Affected environment/configurations are specified as requiring cautio...
CVE-2026-52846
Summary: CVE-2026-52846 affects Caddy's stripHTML template function, which cannot reliably strip certain malformed HTML (e.g., <img src=x onerror=alert()>). This can bypass tag-stripping and may enable client-side XSS when untrusted strings are rendered as HTML. The issue originates in func...
CVE-2026-30852
Caddy 2.x versions are affected: from 2.7.5 up to 2.11.2 (inclusive of 2.7.5 through 2.11.1) have a vulnerability in vars_regexp where user-controlled input is double-expanded by the replacer. If a header like X-Input contains a placeholder such as {http.request.header.X-Input}, the header value ...
CVE-2026-27586
Summary (CVE-2026-27586): Caddy prior to 2.11.1 has two swallowed errors in ClientAuthentication.provision() that cause mTLS client authentication to silently fail open when the CA certificate file is missing, unreadable, or malformed. The server starts and accepts client certs signed by any syst...
CVE-2026-45692
CVE-2026-45692 (Caddy) describes a remote admin authorization bypass where the /config traversal layer and the authorization layer disagree on the target object. Specifically, from 2.4.0 through 2.11.3, an authorized path such as /config/apps/http/servers/srv/routes/0 could be used to access or m...
CVE-2026-27587
The CVE describes a vulnerability in Caddy’s path matching: before version 2.11.1, the HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the request’s EscapedPath without lowercasing. This can allow bypassing rou...
CVE-2026-52845
Summary (CVE-2026-52845): Caddy 2.11.x contains a bypass in forward_auth copy_headers where, prior to 2.11.4, the exact client-supplied header was deleted but HTTP header names are later normalized to CGI variables, allowing an underscore alias to collide with a trusted header in FastCGI backends...
CVE-2026-52844
CVE-2026-52844 describes a Windows-specific path handling bug in Caddy prior to 2.11.4 where path matchers do not normalize backslashes, causing a request like /private%5csecret.txt to bypass path-scoped auth and reach the protected file, e.g., /private/*, through file_server. The issue is exploi...
CVE-2026-30851
CVE-2026-30851 (Caddy) affects Caddy server up to version 2.11.2. The issue is in forward_auth copy_headers, which fails to strip client-supplied headers, enabling identity injection and privilege escalation. This vulnerability is grounded in the component/behavior described across multiple sourc...